Equicrypt is a Trusted Third Party (TTP) protocol considered in the
European ACTS project number 051 (OKAPI) dealing with security,
cryptography and authentication in computer networks. The Equicrypt
protocol is meant to be a third party betwen video-on-demand service
providers and customers.
The formal language LOTOS was used to specify the Equicrypt protocol and
verify its robustness to attacks by an intruder. We describe how this
security protocol can be modelled in LOTOS at an appropriate abstraction
level, and how security properties can be expressed and verified
automatically. We describe a generic intruder process and its modelling.
We have used the model-based CADP verification tools from the Eucalyptus
toolbox to discover some successful attacks against this protocol. More
precisely, all properties are fulfilled without the intruder, but some
of them are falsified when the intruder is added. The diagnostic sequences
can be used almost directly to exhibit the scenarios of possible attacks on
the protocol. Two of them have been presented.

Conclusions:

Until very recently, the model-checking approach was not felt adequate
to tackle the verification of security protocols, but our recent results
prove the contrary and open new avenues for model-checking. The asset of this
approach lies in the capability of finding the attacks as diagnostic
sequences of unsatisfied properties.
For a typical configuration, the generated model was composed of 786,681
states and 4,161,795 transitions. It took 20 hours of CPU time on a Sun
Ultra-2 workstation running Solaris 2.5 with 800 Mbytes of RAM. After
minimization with the strong bisimulation, the LTS had still 69,754
states and 520,633 transitions. The minimization was carried out in 20
minutes of CPU time on the same workstation.